Deep Freeze use a unique method of disk protection to preserve the exact original standard system configuration on over five million Windows and Macintosh computers worldwide!

According to the Faronics(Developers of Deep Freeze): "Deep Freeze instantly protects and preserves baseline computer configurations. No matter what changes a user makes to a workstation, simply restart to eradicate all changes and reset the computer to its original state - right down to the last byte."

However, the following is a step by step instruction on how to bypass the Deep Freeze security.

What we are going to do is to load a new instance of Deep Freeze login program and we'll change it in such a way that it will accept any password as a valid one.

Let the Play Begin

The first thing to do is to find some data that we are going to use later to load our login program instance. For this, load the Process Explorer. Once it is loaded, we can see a list of all the processes our system is running, among them is the login program called FrzState.exe or FrzState2k.exe. You may expand the tree if required to find this program. Right click over the program's name and select "Properties". A new window will be opened with the process properties.

Under the Image tab, note the property named "Command Line". Note down the value of "Command Line" including the three numbers at the end of the property for future use in this tutorial.

Run Ollydbg.

Note: Make sure that OllyScript is properly installed. Make sure that the menu "Plugins" and submenu "OllyScript" is available. If this menu doesn't appear in the program, that means the plugin is not installed properly. To install it, go to the menu "Options" and select "Appearance". In the "Plugin path" box write the address where you copied OllyScript files, press OK and restart the program.

On the 'File' menu select 'Open' and look for the login program file (remember that Process Explorer told you where it was). In the 'Arguments' box write the three numbers you've written down. Click 'Open'. If a warning message box shows up press 'OK'. If a message box is encountered with the content "Do you want to continue the code analysis?" - press 'No'.

We have successfully loaded the program. However the problem we face here is that it is protected with Aspack 2.12 due to which we cannot see the real code. To solve this, we are going to use OllyScript and the ASPack 2.12 OEP finder script. Go to the "Plugins' menu, and then to the "OllyScript" submenu and select "Run Script".

Look for the script and open it. The script will find the OEP (original entry point). If any window shows up dismiss it.

Note: We are now on the OEP. If you are an experienced user you can dump the program using OllyDump to analyze the code with a disassembler.

Right click over the code and a context menu will appear, select 'Go to' and then 'Expression' (or use the shortcut Ctrl+G).

In the text box enter the following value according to the Deep Freeze version you have installed and press OK.

This is the line from where the password verification procedure is called. Let's set a breakpoint here. To do that right click over the line and in the context menu select 'Breakpoint' and then 'Toggle' (or press F2).

We are almost done! Now let's run this new Deep Freeze login program instance. To do that press F9. If everything went right now you should see two Deep Freeze icons on the system tray next to the clock. If Deep Freeze was configured to hide it , instead of two icons you'll see an empty icon.

Note: If the icon doesn't show up is possible that you haven't written the argument three numbers correctly or that you haven't opened the right file.

Now activate the login program by double clicking over the icon while you keep the shift key pressed. If there are two icons, is important that you click over the new icon and not over the old one. The login window will appear asking for the password. Write anything in the password box and press ENTER. The breakpoing we set earlier in Ollydbg will activate and the login program will freeze.

Note: If the breakpoint doesn't activate is possible that you've chosen the wrong icon. Try with the other one.

On Ollydbg press F8 to step over the function call. On the registers window (to the right of the code) you'll see that EAX register has the value 00000000. That means the password is incorrect, let's change that. Double click over the value of EAX to open the modification window. In the 'Hexadecimal' text box write 1 and press OK.

Now press F9 to continue. If everything went right the Deep Freeze configuration dialog will show up.

Hope you all enjoyed this small journey. Please do comment on ur experience with this.

As far as the countermeasure is concerned, the following points can be considered:

Since the vulnerability discussed is all about manipulating the application exe, the product organization has to be informed at the earliest (which I have done) and the update should be applied.Assuming that there is no patch released or the new patch / version is still vulnerable, the following two points can be considered:

1. Host Management - Generally, the application (Deep Freeze) will be running under the SYSTEM credentials. So if we set a trigger to fire a mail or log, when the locally logged in user is accessing the application exe, the admin (if he is checking his mails and logs) can easily come to know about it. The only point to remember here is that the logs should not be set on the subject host as all the files (including the logs) are deleted by the Deep Freeze after restarted (under default installation). So the logs should be send to or logged in a remote machine. 2. Manual Verification - Manual verification of the application is the next solution to make sure that the system is not compromised.

Please feel free to correct me where I am wrong and come up with new countermeasures.

Excellent tutorial!!! I am very close to disabling DeepFreeze but I'm currently stuck at these steps:

Right click over the code and a context menu will appear, select 'Go to' and then 'Expression' (or use the shortcut Ctrl+G).In the text box enter the following value according to the Deep Freeze version you have installed and press OK.

VERSION/VALUE4.20.020.0598 / 40368D 4.20.120.0598 / 40368D4.20.121.0613 / 4034F5 5.20.220.1125 / 4037E9 5.30.120.1181 / 4037E9 The program will jump to the line of code.

My question is: What is the correct value for version 6.00.220.1523 and how does one find out this information?Thanks.

Do the have not who respond so?Help me ! What is the process to raid the bear the address offset of DeepFree ?Sorry, because I be the Vietnam, ought to very evil English language, all the spruce be touched all right.

on deep freeze 6.10.20.1616 there are about 30 lines of code which resemble the call frzstate line of code described for deep freeze 5. these lines begin at 0069D83A and are found at regular intervals until 0069EBOE. maybe it might be possible that one of these lines will disable the password protection if the procedure described for deep freeze 5 is followed.

Last edited by xxxxx on Thu Feb 28, 2008 12:24 pm, edited 1 time in total.

most likely it is true that deep freeze 6 has been patched but i havn't been able to locate any leads. maybe there may be some way to detect the password with some program which someone may know about.